Azure VPN – IKE/Authip Quick Mode Failure

Posted by on Monday, October 10th, 2016  


Recently, while working on an Azure project that involved setting up site-to-site VPN connections for a customer, we ran into an issue where we were getting an authentication failure when attempting to connect the on-premises VPN gateway with the Azure VPN gateway. Specifically, we were seeing the following errors in the AzureVnetGateway diagnostics:

Event Header:
  Timestamp: 1601-01-01T00:00:00.000Z
  Flags: 0x00000100
   IP version field set
  IP version: IPv4
  IP protocol: 0
  Local address:
  Remote address:
  Local Port: 0
  Remote Port: 0
  Application ID:
  User SID: <invalid>
Failure type: IKE/Authip Quick Mode Failure
Type specific info:
  Failure error code:0x000035e9
   IKE authentication credentials are unacceptable
  Failure point: Local
  Keying module type: IKEv2
  QM State: Initial state, no QM packets sent
  QM SA role: Initiator
  Mode: Tunnel Mode
  Local Subnet:
   IPv4 Addr & Mask:
  Remote Subnet:
   IPv4 Addr & Mask:
  QM Filter ID: 0x0000000000105bd9

Searching the internet leads you to numerous posts about this being a certificate-related issue. Unfortunately, those directions are not accurate in this case because a site-to-site VPN doesn’t use certificates for authentication. Instead, it relies on a pre-shared key.

What we found in our case was that, while the pre-shared key set by Azure when the VPN gateway was created matched in both the Azure VPN gateway and the on-premises VPN gateway configuration, the key was too long for the particular Check Point device to recognize.
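The triage described above can be scripted. The following is an added example, not part of the original post: it parses a diagnostics event like the one shown, recognizes error 0x35e9, and checks the pre-shared key for a mismatch between gateways and for exceeding the on-premises device's length limit. The function names, the constructed keys and the 32-character limit are assumptions; the post does not state the device's actual limit.

```python
import hmac

# Event text taken from the diagnostics output above (empty fields left out).
SAMPLE_EVENT = """\
Failure type: IKE/Authip Quick Mode Failure
Type specific info:
  Failure error code:0x000035e9
   IKE authentication credentials are unacceptable
  Failure point: Local
  Keying module type: IKEv2
  QM State: Initial state, no QM packets sent
"""

IKE_AUTH_FAIL = 0x35E9  # "IKE authentication credentials are unacceptable"


def parse_event(text):
    """Map each 'name: value' line to a dict entry. A line without a colon
    is stored as '<previous name> description'."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip()
            fields[last] = value.strip()
        elif line and last:
            fields[last + " description"] = line
    return fields


def triage(fields, azure_psk, onprem_psk, peer_max_len):
    """Return pre-shared-key findings for an IKE credentials failure.
    peer_max_len is an assumed limit; take the real value from the
    on-premises device's documentation. Keys are never echoed back."""
    findings = []
    if int(fields.get("Failure error code") or "0", 16) != IKE_AUTH_FAIL:
        return findings  # a different failure: PSK checks do not apply
    if not hmac.compare_digest(azure_psk.encode(), onprem_psk.encode()):
        findings.append("pre-shared keys differ between the two gateways")
    if len(azure_psk) > peer_max_len:
        findings.append("pre-shared key is %d characters; device limit is %d"
                        % (len(azure_psk), peer_max_len))
    return findings


if __name__ == "__main__":
    key = "K" * 64  # constructed key, not a real secret
    for finding in triage(parse_event(SAMPLE_EVENT), key, key, peer_max_len=32):
        print(finding)
```

With matching 64-character keys and an assumed 32-character limit, only the length finding is reported, which is the situation the post describes.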
